P
US12411939B2ActiveUtilityPatentIndex 60

Vertically integrated automatic threat level determination for containers and hosts in a containerization environment

Assignee: SUSE LLCPriority: Oct 9, 2018Filed: Nov 21, 2023Granted: Sep 9, 2025
Est. expiryOct 9, 2038(~12.3 yrs left)· nominal 20-yr term from priority
Inventors:ROSENDAHL HENRIKHUANG FEIDUAN GANG
G06F 21/577G06F 2221/034G06F 2221/033G06F 21/53
60
PatentIndex Score
0
Cited by
5
References
20
Claims

Abstract

A threat level analyzer probes for one or more threats within an application container in a container system. Each threat is a vulnerability or a non-conformance with a benchmark setting. The threat level analyzer further probes for one or more threats within a host of the container service. The threat level analyzer generates a threat level assessment score based on results from the probing of the one or more threats of the application container and the one or more threats of the host, and generates a report for presentation in a user interface including the threat level assessment score and a list of threats discovered from the probe of the application container and the host. A report is transmitted by the threat level analyzer to a client device of a user for presentation in the user interface.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method, comprising:
 identifying a threat in one or more of an instance or a host of a virtualized system; 
 generating a threat level assessment score based on the threat; 
 generating a report comprising the threat level assessment score and a list of identified threats; and 
 transmitting the report to a user interface of a client device for display in a graphical view that shows the instance as a graphical indicator, the threat level assessment score with an adjacent threat score indicator, and arrow indicators that depict connections between instances. 
 
     
     
       2. The method of  claim 1 , wherein the generating the threat level assessment score further comprises:
 determine that the instance generates requests to access a Wide Area Network (WAN); and 
 increasing the threat level assessment score for the instance by a fixed value in response to it being determined that the instance generates requests to access the WAN. 
 
     
     
       3. The method of  claim 2 , wherein the generating the threat level assessment score further comprises:
 identifying abnormal network behavior of the one or more of the instance or the host; and 
 increasing the threat level assessment score for the one or more of the instance or the host by a fixed value in response to the abnormal network behavior. 
 
     
     
       4. The method of  claim 1 , wherein the identifying the threat further comprises:
 retrieving entries from a threat database, wherein each entry indicates a vulnerability using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the vulnerability; 
 identifying that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the CVE identifier of an entry of the entries from the threat database; and 
 wherein the generating the threat level assessment score further comprises:
 increasing the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the entry. 
 
 
     
     
       5. The method of  claim 1 , wherein the identifying the threat further comprises:
 retrieving entries from a threat database, wherein each entry indicates a benchmark setting using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the benchmark setting; 
 identifying that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the benchmark setting of an entry of the entries from the threat database; and 
 wherein the generating the threat level assessment score further comprises:
 increasing the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the benchmark setting corresponding to the entry. 
 
 
     
     
       6. The method of  claim 1 , further comprising:
 determining that the threat level assessment score exceeds a threshold value; and 
 suspending execution of the one or more of the instance or the host in response to a determination that the threat level assessment score for the instance exceeds the threshold value. 
 
     
     
       7. The method of  claim 1 , wherein the system is a container system. 
     
     
       8. A system comprising:
 a processor; and 
 memory storing instructions that, when executed by the processor, configures the processor to:
 identify a threat in one or more of an instance or a host of the virtualized system; 
 generate a threat level assessment score based on the threat; 
 generate a report comprising the threat level assessment score and a list of identified threats; and 
 transmit the report to a user interface of a client device for display in a graphical view that shows the instance as a graphical indicator, the threat level assessment score with an adjacent threat score indicator, and arrow indicators that depict connections between instances. 
 
 
     
     
       9. The system of  claim 8 , wherein when the processor generates the threat level assessment score, the processor is further configured:
 determine that the instance generates requests to access a Wide Area Network (WAN); and 
 increase the threat level assessment score for the instance by a fixed value in response to it being determined that the instance generates requests to access the WAN. 
 
     
     
       10. The system of  claim 9 , wherein when the processor generates the threat level assessment score, the processor is further configured:
 identify abnormal network behavior of the one or more of the instance or the host; and 
 increase the threat level assessment score for the one or more of the instance or the host by a fixed value in response to the abnormal network behavior. 
 
     
     
       11. The system of  claim 8 , wherein when the processor identifies the threat, the processor is further configured:
 retrieve entries from a threat database, wherein each entry indicates a vulnerability using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature used to identify the vulnerability; 
 identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the CVE identifier of an entry of the entries from the threat database; and 
 increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the entry. 
 
     
     
       12. The system of  claim 8 , wherein when the processor identifies the threat, the processor is further configured:
 retrieve entries from a threat database, wherein each entry indicates a benchmark setting using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the benchmark setting; 
 identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the benchmark setting of an entry of the entries from the threat database; and 
 increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the benchmark setting corresponding to the entry. 
 
     
     
       13. The system of  claim 8 , wherein the processor is configured to:
 determine that the threat level assessment score for the instance exceeds a threshold value; and 
 suspend execution of the one or more of the instance or the host in response to a determination that the threat level assessment score for the instance exceeds the threshold value. 
 
     
     
       14. The system of  claim 8 , wherein the system is a container system. 
     
     
       15. A non-transitory computer-readable medium comprising instructions that, when executed by a processor, configure the processor to:
 identify a threat in one or more of an instance or a host of the virtualized system; 
 generate a threat level assessment score based on the threat; 
 generate a report comprising the threat level assessment score and a list of identified threats; and 
 transmit the report to a user interface of a client device for display in a graphical view that shows the instance as a graphical indicator, the threat level assessment score with an adjacent threat score indicator, and arrow indicators that depict connections between instances. 
 
     
     
       16. The non-transitory computer-readable medium of  claim 15 , wherein when the processor generates the threat level assessment score, the processor is further configured to:
 determine that the instance generates requests to access a Wide Area Network (WAN); and 
 increase the threat level assessment score for the instance by a fixed value in response to it being determined that the instance generates requests to access the WAN. 
 
     
     
       17. The non-transitory computer-readable medium of  claim 16 , wherein when the processor generates the threat level assessment score, the processor is further configured to:
 identify abnormal network behavior of the one or more of the instance or the host; and 
 increase the threat level assessment score for the one or more of the instance or the host by a fixed value in response to the abnormal network behavior. 
 
     
     
       18. The non-transitory computer-readable medium of  claim 15 , wherein when the processor identifies the threat, the processor is further configured to:
 retrieve entries from a threat database, wherein each entry indicates a vulnerability using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the vulnerability; 
 identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the CVE identifier of an entry of the entries from the threat database; and 
 increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the entry. 
 
     
     
       19. The non-transitory computer-readable medium of  claim 15 , wherein when the processor identifies the threat, the processor is further configured to:
 retrieve entries from a threat database, wherein each entry indicates a benchmark setting using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature used to identify the benchmark setting; 
 identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the benchmark setting of an entry of the entries from the threat database; and 
 increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the benchmark setting corresponding to the entry. 
 
     
     
       20. The non-transitory computer-readable medium of  claim 15 , wherein the instructions further configure the processor to:
 determine that the threat level assessment score exceeds a threshold value; and 
 suspend execution of the one or more of the instance or the host in response to a determination that the threat level assessment score for the instance exceeds the threshold value.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.